How to Hide Server Signature of Nginx & PHP Version on Linux Distros like Ubuntu, CentOS, RHEL, ArchLinux, OpenSuse, etc.

The server signature is a source of information for footprinting: by default the web server discloses the version numbers of Nginx and PHP, and attackers can collect them with simple Linux commands, dedicated tools, or a web browser. Hiding the server signature removes this information from the responses and helps secure the web server against external attacks.

How to Hide Server Signature of Nginx & PHP Version on Linux

Step-1

First, check whether the server is showing the Nginx version with this command:

# curl -I http://www.techbrown.com

Sample Output

HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Fri, 5 Jun 2015 11:38:47 CDT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.23
Set-Cookie: CACHED_FRONT_FORM_KEY=bCunlLxt1Sw1qHfw; path=/
P3p: CP="CAO PSA OUR"
WCN-WEB01: WCNWEB01

Step-2

Open nginx.conf

# vi /etc/nginx/nginx.conf

Add the parameter below inside the http block and save

server_tokens off;

Like this

user nginx;
worker_processes 4;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events { worker_connections 1024; }
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    ' $status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    keepalive_timeout 65;
    # Send "Server: nginx" without the version number
    server_tokens off;
    gzip on;
    gzip_static on;
    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_buffers 16 8k;
    gzip_vary on;
    ## Detect when HTTPS is used
    map $scheme $fastcgi_https {
        default off;
        https on;
    }
    include /etc/nginx/conf.d/*.conf;
}

Step-3

Then open the php.ini file and set expose_php = Off

# vi /etc/php.ini
expose_php = Off

Note: (O must be capital)

Step-4

Reload the Nginx and php-fpm services and check again

# curl -I http://www.techbrown.com

The Server header should now carry no version number, and the X-Powered-By header should be gone:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 5 Jun 2015 11:56:03 CDT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: CACHED_FRONT_FORM_KEY=NX3yUkgwxgJwQRLR; path=/
P3p: CP="CAO PSA OUR"
WCN-WEB01: WCNWEB01
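
The curl check from Step-1 and Step-4 as a repeatable script (an added example, not part of the original article). The function name audit_headers and the two sample inputs are assumptions made for the example; it flags a Server header that carries a version token and any X-Powered-By header.

```shell
#!/bin/sh
# audit_headers (hypothetical name): read raw HTTP response headers on stdin,
# e.g. from `curl -sI URL`, and report headers that disclose software versions.
# Prints one finding per line; returns 1 if anything leaks, 0 otherwise.
audit_headers() {
    # HTTP header lines end in CRLF, so strip the CR before matching.
    findings=$(tr -d '\r' | awk '
        {
            # Header names are case-insensitive (and lowercase over HTTP/2).
            colon = index($0, ":")
            if (colon == 0) next            # status line or blank line
            name  = tolower(substr($0, 1, colon - 1))
            value = substr($0, colon + 1)
            sub(/^[ \t]+/, "", value)
        }
        # Server: flag only when a version token such as nginx/1.4.4 is present.
        name == "server" && value ~ /\/[0-9]/ { print "LEAK server: " value }
        # X-Powered-By: sent by PHP while expose_php is On; any value is disclosure.
        name == "x-powered-by"               { print "LEAK x-powered-by: " value }
    ')
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample inputs, reduced from the two responses shown in this article.
before_headers() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.4.4\r\nX-Powered-By: PHP/5.4.23\r\n\r\n'
}
after_headers() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n'
}

before_headers | audit_headers || echo "before: version disclosure present"
after_headers  | audit_headers && echo "after: no version disclosure"

# Live use: curl -sI http://www.techbrown.com | audit_headers
```

The non-zero return code on a leak lets the check run from cron or a deployment job, so a configuration change that re-enables either header is caught.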

Final Words:

Hiding the server signature is the first task of every system administrator to protect the web server from external attacks, and it provides an extra layer of security. The server signature is enabled by default in Nginx and PHP; this article shows how it can be hidden.